To: dnsop@cafax.se
From: "D. J. Bernstein" <djb@cr.yp.to>
Date: 6 Feb 2001 20:29:56 -0000
Content-Disposition: inline
Sender: owner-dnsop@cafax.se
Subject: Re: Bogus nic.fr behavior
Nilsson writes:

> TCP and UDP are mandatory, regardless of query size.

False. RFC 1123 _recommends_ TCP. Query size was explicitly identified as the reason for this recommendation: the authors believed that new DNS record types would someday require packets larger than 512 bytes.

Of course, TCP is required for zone transfers, but zone transfers aren't required for servers. A pure secondary server, or a primary server that uses (say) rsync for replication, doesn't need outgoing zone transfers.

I recommend against TCP service on DNS servers that don't need it. TCP makes the machine unnecessarily vulnerable to denial-of-service attacks: opening a bunch of TCP connections will chew up memory and slow down UDP service much more effectively than a UDP flood at the same speed would.

> it is far more likely that a generally mis-managed server would fail
> there (and in localhost reverse) than a server that is correctly managed.

Perhaps that's true for BIND. But my DNS server goes to great effort to help new DNS administrators create correct configurations, and it does _not_ provide lame root information by default. As I said, there's a cost to keeping that information up to date.

> Also, most people still fail to understand the difference between name
> serving and caching resolver.

My software follows the RFC 1035 model and separates these two services. The cache and the server run on separate IP addresses, exactly as ISPs have learned to do with BIND. Do you want to penalize software that does things right?

---Dan
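The message above turns on the RFC 1035/1123 transport rules: a UDP answer is limited to 512 bytes, a server that cannot fit its answer sets the TC (truncation) bit, and the client is then expected to retry over TCP, where each message is framed by a two-byte length prefix. The following Python example, added here and not part of the original list post or of Bernstein's software, builds a minimal query, parses the response header to detect truncation, shows the TCP framing, and includes a small check an operator can run to see whether a server exposes TCP port 53 at all (which, as the post argues, a server that does no zone transfers may deliberately not do). The sample truncated response is constructed inline; `check_tcp_service` is a hypothetical helper name and is the only function that touches the network.

```python
import socket
import struct

# DNS header flag bits (RFC 1035 section 4.1.1).
FLAG_QR = 0x8000  # response
FLAG_TC = 0x0200  # truncated: answer did not fit in the UDP datagram
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available

MAX_UDP_PAYLOAD = 512  # classic limit without EDNS(0)


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a standard query (QCLASS IN) in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into its fields."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(udp_response: bytes) -> bool:
    """TC=1 means the UDP answer was cut at 512 bytes; RFC 1123 says retry over TCP."""
    return parse_header(udp_response)["tc"]


def tcp_frame(msg: bytes) -> bytes:
    """On TCP every message carries a 2-byte big-endian length prefix (RFC 1035 4.2.2)."""
    if len(msg) > 0xFFFF:
        raise ValueError("message too large for TCP framing")
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream: bytes) -> bytes:
    """Strip the length prefix, refusing a stream that is shorter than it claims."""
    if len(stream) < 2:
        raise ValueError("missing length prefix")
    (length,) = struct.unpack("!H", stream[:2])
    if len(stream) < 2 + length:
        raise ValueError("truncated TCP DNS message")
    return stream[2:2 + length]


def check_tcp_service(host: str, port: int = 53, timeout: float = 2.0) -> bool:
    """Operator check (hypothetical helper): does this server accept TCP on port 53?

    Returns False if the port is closed or filtered; useful for confirming that a
    server intended to be UDP-only really is. Not exercised by the offline test.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample: a response to the query above with QR, RD, RA and TC set
# and an empty answer section, i.e. "the real answer did not fit, use TCP".
TRUNCATED_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_TC, 1, 0, 0, 0)
    + b"\x03nic\x02fr\x00" + struct.pack("!HH", 1, 1)
)

if __name__ == "__main__":
    q = build_query("nic.fr")
    print("query bytes:", q.hex())
    print("truncated response needs TCP retry:", needs_tcp_retry(TRUNCATED_RESPONSE))
    print("TCP-framed query:", tcp_frame(q).hex())
```

The parser only reads the header, which is all a client needs to decide between "use this UDP answer" and "retry over TCP"; `tcp_unframe` checks the declared length against what actually arrived so a short read is reported rather than silently parsed as a message.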